How do I configure the Okteto wildcard certificate with cert-manager and Route53?
The recommended solution is to use IAM Roles for service accounts.
In order to do that, configure a role with the following policy permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "arn:aws:route53:::hostedzone/*"
}
]
}
Create an AWS IAM Role for the cert-manager service account. Replace the variables below with your own information.
eksctl create iamserviceaccount \
--cluster $CLUSTER_NAME \
--region $REGION \
--name cert-manager \
--namespace $RELEASE_NAMESPACE \
--attach-policy-arn $POLICY_ARN \
--role-name ${YOUR_ROLE_NAME} \
--role-only \
--approve
and add these options to your cert-manager Helm configuration file:
extraArgs: [--issuer-ambient-credentials=true]
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: 'arn:aws:iam::<<aws-account-id>>:role/<<your-role-name>>'
Once your cert-manager is configured this way, create the following Issuer
in the okteto
namespace:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: okteto-letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: "<<your-email>>"
privateKeySecretRef:
name: okteto-letsencrypt-acme
solvers:
- http01:
ingress:
serviceType: ClusterIP
class: nginx
- dns01:
route53:
region: "<<your-cluster-region>>"
and the following Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: okteto-letsencrypt
spec:
secretName: okteto-letsencrypt
duration: 8760h0m0s
renewBefore: 600h0m0s # 25d
issuerRef:
name: okteto-letsencrypt
kind: Issuer
dnsNames:
- "*.<<your-okteto-subdomain>>"
Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:
wildcardCertificate:
create: false
name: okteto-letsencrypt
ingress-nginx:
controller:
extraArgs:
default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt
Finally, upgrade your Okteto installation for the new configuration to be applied.
For troubleshooting, you can check the cert manager logs, and the events associated to the resources Challenge
, Order
and CertificateRequest
.
There is a typo in the document
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "arn:aws:route53:::hostedzone/*"
},
]
}
Should be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:GetChange",
"Resource": "arn:aws:route53:::change/*"
},
{
"Effect": "Allow",
"Action": "route53:ChangeResourceRecordSets",
"Resource": "arn:aws:route53:::hostedzone/*"
}
]
}
Thanks @davidtacheny , updated!
I’ve done this a few times and I keep struggling on the commands to do this, so here’s it for people unfamiliar with Kubernetes.
- Make sure you’re in the right context
helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.13.1 \ --set installCRDs=true --set "extraArgs[0]=--issuer-ambient-credentials=true" \ --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=arn:aws:iam::XXXXXXXXX:role/eksctl-okteto-cluster-ServiceRole-XXXXXXX"
kubectl apply -f issuer.yaml -n okteto
kubectl apply -f certificate.yaml -n okteto